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Security Considerations for 
the SHA-O and SHA-1 Message-Digest Algorithms 
Abstract 


This document includes security considerations for the SHA-O and 
SHA-1 message digest algorithm. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is 
published for informational purposes. 


This document is a product of the Internet Engineering Task Force 


(IETF). It represents the consensus of the IETF community. It has 
received public review and has been approved for publication by the 
Internet Engineering Steering Group (IESG). Not all documents 


approved by the IESG are a candidate for any level of Internet 
Standard; see Section 2 of RFC 5741. 


Information about the current status of this document, any errata, 
and how to provide feedback on it may be obtained at 
http://www.rfc-editor.org/info/rfc6194. 


Copyright Notice 


Copyright (c) 2011 IETF Trust and the persons identified as the 
document authors. All rights reserved. 


This document is subject to BCP 78 and the IETF Trust’s Legal 
Provisions Relating to IETF Documents 
(http://trustee.ietf.org/license-info) in effect on the date of 
publication of this document. Please review these documents 
carefully, as they describe your rights and restrictions with respect 
to this document. Code Components extracted from this document must 
include Simplified BSD License text as described in Section 4.e of 
the Trust Legal Provisions and are provided without warranty as 
described in the Simplified BSD License. 
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Introduction 


The Secure Hash Algorithms are specified in [SHS]. A previous 
version of [SHS] also specified SHA-0. SHA-O, first published in 
1993, and SHA-1, first published in 1996, are message digest 
algorithms, sometimes referred to as hash functions or hash 
algorithms, that take as input a message of arbitrary length and 
produce as output a 160-bit "fingerprint" or "message digest" of the 
input. The published attacks against both algorithms show that it is 
not prudent to use either algorithm when collision resistance is 
required. 


[HASH-Attack] summarizes the use of hashes in Internet protocols and 
discusses how attacks against a message digest algorithm’s one-way 
and collision-free properties affect and do not affect Internet 
protocols. Familiarity with [HASH-Attack] is assumed. 


Some may find the guidance for key lengths and algorithm strengths in 
[SP800-57] and [SP800-131] useful. 


SHA-0 Security Considerations 


What follows are summaries of recent attacks against SHA-O’s 
collision, pre-image, and second pre-image resistance. Additionally, 
attacks against SHA-O when used as a keyed-hash (e.g., HMAC-SHA-0) 
are discussed. 


The U.S. National Institute of Standards and Technology (NIST) 
withdrew SHA-O in 1996. That is, NIST no longer considers it 
appropriate to use SHA-0 for any transactions associated with the use 
of cryptography by U.S. federal government agencies for the 
protection of sensitive, but unclassified information. SHA-O is 
discussed here only for the sake of completeness. 


Any use of SHA-O is strongly discouraged. Analysis of SHA-O 
continues today because many see it as a weaker version of SHA-1. 


1. Collision Resistance 


The first attack on SHA-0O was published in 1998 [CHJ01998] and showed 
that collisions can be found in 2%61 operations. In 2006, 

[NSSYK2006] showed an improved attack that can find collisions in 
2°36 operations. 


In any case, the known research results indicate that SHA-O is not as 
collision resistant as expected. The collision security strength is 
significantly less than an ideal hash function (i.e., 2^36 compared 
to 2°80). 
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2.2. Pre-Image and Second Pre-Image Resistance 


The pre-image and second pre-image attacks published on reduced 
versions of SHA-O (i.e., less than 80 rounds) indicate that the 
security margin of SHA-O is resistant to these attacks. [deCARE2008] 
showed a pre-image attack on 49 out of 80 rounds with complexity of 
2°159, and [AOSA2009] showed a pre-image attack on 52 out of 80 
rounds with a complexity of 2%156. 


2.3. HMAC-SHA-0 


The current attack vectors on HMAC can be classified as follows: 
distinguishing attacks, existential forgery attacks, and key recovery 
attacks. Key recovery attacks are by far the most severe. 


Attacks on hash functions can be conducted entirely offline, since 
the attacker can generate unlimited message-hash value pairs. 

Attacks on HMACs must be online because attackers need a large amount 
of HMAC values to deduce the key. The best results for a partial key 
recovery attack on HMAC-SHAO were published at Asiacrypt 2006 with 
2°84 queries and 2^60 SHA-O computations [COYI2006]. 


3. SHA-1 Security Considerations 


What follows are recent attacks against SHA-1’s collision, pre-image, 
and second pre-image resistance. Additionally, attacks against SHA-1 
when used as a keyed-hash (i.e., HMAC-SHA-1) are discussed. 


It must be noted that NIST has recommended that SHA-1 not be used for 
generating digital signatures after December 31, 2010, and has 
specified that it not be used for generating digital signatures by 
U.S. federal government agencies "for the protection of sensitive, 
but unclassified information" after December 31, 2013 [SP800-131]. 


3.1. Collision Resistance 


The first attack on SHA-1 was published in early 2005 [RIOS2005]. 
This attack described a theoretical attack on a version of SHA-1 
reduced to 53 rounds. The very next month [WLY2005] showed 
collisions in the full 80 rounds in 2^69 operations. Since then, 
many new analysis methods have been developed to improve the attack 
presented in [WLY2005]. However, there are no published results that 
improve upon the results found in [WLY2005]. [Man2008/469], which is 
the International Association for Cryptologic Research (IACR) ePrint 
version of [Man2009], claimed that using the method presented in the 
paper, a collision of full SHA-1 can be found in 2%51 hash function 
calls. However, this claim is absent from the published conference 
paper [Man2009]. 
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In any case, the known research results indicate that SHA-1 is not as 
collision resistant as expected. The collision security strength is 
significantly less than an ideal hash function (i.e., 2°69 compared 
to 2°80). 


3.2. Pre-Image and Second Pre-Image Resistance 


There are no known pre-image or second pre-image attacks that are 
specific to the full round SHA-1 algorithm. [KeSch] discovered a 
general result for all narrow-pipe Merkle-Damgaard hash functions 
(which includes SHA-1), finding a second pre-image takes less than 


2^n computations. When n = 160, as is the case for SHA-1, it will 
take 2°106 computations to find a second pre-image in a 60-byte 
message. 


In the absence of full-round attacks, cryptographers consider 
reduced-round attacks for clues regarding an algorithm’s strength. 
Reduced-round attacks, where the number of reduced rounds is not more 
than a few less than the full rounds, have not been shown to relate 
to full-round attacks. However, the best reduced-round attack 
indicates a certain security margin. For example, if the best known 
attack is on 60 out of 80 rounds, then the algorithm has about 20 
rounds to resist improved attacks. However, the relationship between 
the number of rounds an attack can reach and the number of rounds 
defined in the algorithm is not linear; it does not provide a 
mathematical proof. In other words, reduced-round attacks indicate 
how strong the algorithm is with regard to a certain attack, not how 
close it is to being broken. Therefore, the following information 
about reduced-round attacks is included only for completeness. 


The pre-image and second pre-image attacks published on reduced 
versions of SHA-1 (i.e., less than 80 rounds) indicate that SHA-1 
retains a significant security margin against these attacks. 
[AOSA2009] showed a pre-image attack on 48 out of 80 rounds with 
complexity of 2%159. 


3.3.  HMAC-SHA-1 


As of today, there is no indication that attacks on SHA-1 can be 
extended to HMAC-SHA-1. 


4. Conclusions 


SHA-1 provides less collision resistance than was originally 
expected, and collision resistance has been shown to affect some (but 
not all) applications that use digital signatures. Designers of IETF 
protocols that use digital signature algorithms should strongly 
consider support for a hash algorithm with greater collision 
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resistance than that provided by SHA-1. Of course, SHA-O should 
continue to not be used in any IETF protocol. 


[Note: Protocol designers should review the current state of the art 
to ensure that selected hash algorithms provide sufficient security. 
At the time of publication, SHA-256 [SHS] is the most commonly 
specified alternative. The known (reduced-round) attacks on the 
collision resistance of SHA-256 indicate a significant security 
margin, and the longer message digest provides increased strength. ] 


Nearly all IETF protocols that use signatures assume existing public 
key infrastructures, and SHA-1 is still used in signatures nearly 
everywhere. Therefore, it is unwise to strictly prohibit the use of 
SHA-1 in signature algorithms. Protocols that permit the use of 
SHA-1-based digital signatures as an option should strongly consider 
referencing this document in the security considerations. 


A protocol designer might want to consider the use of SHA-1 with 
randomized hashing such as is specified in [SP800-107]. Note that 
randomized hashing expands the size of signatures and requires 
protocols to carry material that is not needed today. HMAC-SHA-1 
remains secure and is the preferred keyed-hash algorithm for IETF 
protocol design. 

5. Security Considerations 
This entire document is about security considerations. 
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